CS 55 | Security and Privacy

Course description

ORC: The migration of important social processes to distributed, electronic systems raises critical security and privacy issues. Precisely defining security and privacy is difficult; designing and deploying systems that provide these properties is even harder. This course examines what security and privacy mean in these settings, the techniques that might help, and how to use these techniques effectively. Our intention is to equip computer professionals with the breadth of knowledge necessary to navigate this emerging area.

Learning objectives

The goal of this course is to introduce you to fundamental concepts in security and privacy. More specifically we will examine:

Adversaries: what types of adversaries we are up against? What are their motivations? How can we implement multi-level security to protect information of varying levels of sensitivity
Cryptography: secure hashing as well as symmetric and asymmetric encryption to protect data and assist authentication
Common attacks: we will implement classic attacks against computer systems including buffer overflows, return-oriented programming, SQL injection, cross-site scripting, and packet sniffing/spoofing. We will also examine other types of attacks including side channel exploitation and social engineering. Our goal will be to understand the techniques and strategies adversaries commonly use to exploit systems
Defensive tools: firewalls, vpns, biometrics, and physical security
Security operations: security management and team leadership as well as secure systems development and penetration testing
Privacy and the law: ethical, legal, and economic aspects of security and privacy
The future: topics on the horizon including the Internet of Things (IoT) and cyber war.

Throughout we will have several guest lectures from experts working in the field. See the schedule page for more details.

We will also discuss real-world techniques to compromise security and privacy along with their countermeasures. While we will take the role of system defenders, it is critically important for us to understand the techniques adversaries will use to compromise systems so we can provide robust defenses. You could get into legal trouble if you apply these adversarial techniques without permission. Do NOT use these adversarial techniques against Dartmouth or other organizations where you are not authorized.

Prerequisite CS 50 (CS51 and CS30 highly recommended). In addition, I will also assume you are familiar with both C and Python.

Who, when, where

Instructor: Tim Pierson | 210 Sudikoff
office hours: maintained on Canvas calendar and by appointment.
Teaching assistant: Sayanton Dibbo
office hours: maintained on Canvas calendar.
Lectures: D-hour | MWF 11:45am - 12:50pm Eastern time zone | Online
See Zoom link on Canvas for virtual meetings.; Lectures will be online and recorded this term using Zoom — see Canvas for access details. When you join the online meeting, please turn on your camera but mute your microphone. If you have a question, please hit the "Raise hand" button on Zoom. If I do not call on you in a short period of time, please unmute and ask. We will work out more rules as we go...; I do not plan to regularly use x-hours, but I may sometimes use them for missed classes, to catch up on material, or for optional, informal session to work through examples. Make sure to keep this time slot free in case we need to use it.; We will frequently have in-class exercises to try out new concepts. Google and StackOverflow will be your friend, do not hesitate to use them unless instructed otherwise!
Help: Office hours: Office hours will also be online via Zoom. I will be available online during posted office hours, even if there are no questions. If you'd like to set up a private meeting, email me and we will find a time to speak.
Help: Slack: Look for a link to Slack on the Canvas nav bar and sign up. I strongly encourage you to ask and answer questions there.
Announcements: Monitor Canvas for periodic course-wide announcements.
Textbook: Security in Computing, 5th edition, by Pfleeger, Pfleeger, and Margulies. While the Pfleeger book will be our primary textbook, and all assigned reading will be from that textbook, other useful resources are:

Security Engineering, 3rd edition, by Anderson

Computer & Internet Security by Du

Social Engineering, The Science of Human Hacking, 2nd edition, by Hadnagy

The Craft of System Security by Smith and Marchesini.; Grades in this class will be a combination of several lab assignments, a midterm exam, a final exam, and class participation. A total score of at least 60% is required to pass this course.; There will be five lab assignments (aside from Lab 0 which is simply to gather information) that together account for 50% of the grade in this course. Each lab is worth 10% of the final grade.
Requirements for lab submissions:: Labs are designed to be completed outside of class and must be submitted electronically via Canvas before the deadline indicated on Canvas. Even when a lab has some written exercises, you are required to either type in a file or scan your written work and submit it electronically. To submit output from your program, submit a copy-pasted file in pdf format and/or a screenshot, as appropriate. For plain text, you can use a program like TextEdit, NotePad, or Emacs, or even Word, but be sure to save as a pdf. For a screen shot, you can use Preview on Mac (under the "File" menu) or the PrntScrn button on Windows.
Lab partners: For each lab you work with two other people (e.g., groups of three). In addition:

You will get two new randomly selected (with replacement) partners for each lab

Collect all your code files into a single zip file and upload that zip, rather than many separate files

One partner can submit on behalf of all three partners

Note in the Canvas text box for each lab the names of all three partners

All three partners will receive the same grade for the lab.
Late policy: Due via Canvas on the date and time noted on Canvas assignment. Penalties: < 8 hours: 10%; < 24 hours: 20%; < 48 hours: 40%; more: no credit.
Grading: Specific grading rubrics will be provided for each lab.; There will be a midterm and a final, each worth 20% of the final grade. You may use the course textbook, your notes, and any material posted on this course web site. You may not use the Internet to search for exam answers.
If you have questions about your exam score, or would like a question re-graded, see your TA within one week from the date that the exam was returned to the class. If you request a re-grade of a particular question, we reserve the right to re-grade your entire exam.; Most classes will have a discussion portion where we consider the topic of the day. In some cases there will be no right or wrong answer — we will all benefit from a diverse set of perspectives. Many classes will have a hands-on portion where we will work through a series of problems on a live computer system. At the end of this portion of class you may be randomly selected (with replacement) to present your solution. Your presentation will be graded as follows:

0: Nothing of substance

1: Your solution needs significant work

2: Correct or mainly correct.

If you are unable to attend the live class via Zoom due to time zone issues, but you are randomly selected, post your solution on Canvas prior to the next class period. You can also participate in the discussion via Slack.

Collaboration

Even though you will work with two other people on the lab assignments, you are still responsible for understanding the entire assignment. That means that splitting the coding into pieces, doing your part, and never looking at your partner's parts is not a good idea. You can learn a lot by reading your partner's code and figuring out how it works, whether it is correct, and how it might be improved. You can also catch things like poor or missing comments that could cost you style points when the assignment is graded.

When working with partners, I suggest that you borrow a practice from Extreme Programming, a method of writing code that many businesses find quite effective. One person (the driver) sits at the keyboard. The other person (the navigator) looks at the (virtual) screen as the driver types, asking questions, making suggestions, and catching errors. Both of you will understand the code better if you discuss it as it is written than if you just write it (or read it) by yourself. Regularly trade off who is driver and who is navigator.

The usual reaction to this idea is, "that will take twice as long!" In practice it is usually faster than each person programming alone. The reason is that errors are caught earlier, and the amount of time are saved when debugging more than makes up for the lack of parallelism in code writing. Also, the code tends to be better written. These are some of the reasons why this idea has been adopted in industry.

Online recording

I will record class sessions on Zoom and will post those videos. My plan will be not to record any office hours, certainly not one-on-one, but not small groups either. If I think that a question or answer from office hours would be good for the entire class to see, I will prepare a separate note or video, or include it in the next lecture. This is what I do normally in my classes. If I hold a problem session or X-hour where the entire class is invited to come prepared with questions, I will record that because it is essentially a class session. But I will probably edit it before posting so that it's quicker for you to rewatch

From the Associate Dean of the Sciences to students regarding recording of class sessions:

NOTIFICATION TO STUDENTS

(1) Consent to recording of course and group office hours

By enrolling in this course,

a) I affirm my understanding that the instructor may record this course and any associated group meetings involving students and the instructor, including but not limited to scheduled and ad hoc office hours and other consultations, within any digital platform used to offer remote instruction for this course;

b) I further affirm that the instructor owns the copyright to their instructional materials, of which these recordings constitute a part, and my distribution of any of these recordings in whole or in part without prior written consent of the instructor may be subject to discipline by Dartmouth up to and including expulsion;

(2) Requirement of consent to one-on-one recordings

By enrolling in this course, I hereby affirm that I will not under any circumstance make a recording in any medium of any one-on-one meeting with the instructor without obtaining the prior written consent of all those participating, and I understand that if I violate this prohibition, I will be subject to discipline by Dartmouth up to and including expulsion, as well as any other civil or criminal penalties under applicable law.

Technology requirements

Given the online nature of this course, it is required that students have the ability to stream 1 hour or less of video content each day. We will do our very best to plan for and accommodate any limitations to your access to the required technology. It is impossible for us to plan for every possible technology constraint. Therefore, please let us know what barriers you have to completing the online course as soon as possible. Given current disruptions in the supply chain we would like to plan as far ahead as possible.

Honor code

Dartmouth's honor code applies to this course, and academic misconduct policies will be strictly enforced. I will report suspected cases of cheating to the Undergraduate Judicial Affairs Officer. I also reserve the right to assign a failing grade for an assignment or an exam if I conclude that the honor principle has been violated, regardless of the finding from the Committee on Standards. If you have questions, ask!

I realize that it can be hard to decide when you might be violating the Academic Honor Principle, so here is a good rule of thumb. If you are talking in normal English (or Chinese or German or some other natural language) you are probably OK. If you find yourself talking in C or Python code, you have crossed the line. So saying, "Your program runs forever because you have the wrong condition in the while loop" is OK. But saying, "Change while (x == 0) to while (x > 0)" is not.

If you have any questions about whether what you're doing is within the Academic Honor Principle, do not hesitate to check with me. If it's late and you can't get hold of me, you're better off erring on the side of caution.

Most violations of the Academic Honor Principle come down to failure to cite work that is not yours. If your code benefited from your friend Elvira's code, but you did not indicated that and represented it as your work alone, then you either intended to deceive or were careless about citing. Either case is a violation of the Academic Honor Principle. If you copy your entire program from Elvira but include the comment, "This code was copied in its entirety from Elvira," then you cited properly, though you didn't actually do the work. In this latter case, I would not report a violation of the Academic Honor Principle, though your grade on the assignment would be 0. But that would be far preferable to a Committee On Standards hearing.

The same goes for code that you find in some other book or on the Internet. You are in violation of the Academic Honor Principle if you fail to attribute your sources.

See this link for more information on Dartmouth's Academic Honor Principle.

Accessibility Needs

Students requesting disability-related accommodations and services for this course are encouraged to schedule a phone/video meeting with me as early in the term as possible. This conversation will help to establish what supports are built into my online course. In order for accommodations to be authorized, students are required to consult with Student Accessibility Services (SAS; student.accessibility.services@dartmouth.edu; SAS website; 603-646-9900) and to email me their SAS accommodation form. We will then work together with SAS if accommodations need to be modified based on the online learning environment. If students have questions about whether they are eligible for accommodations, they should contact the SAS office. All inquiries and discussions will remain confidential.

Mental Health

The academic environment at Dartmouth is challenging, our terms are intensive, and classes are not the only demanding part of your life. There are a number of resources available to you on campus to support your wellness, including your undergraduate dean, Counseling and Human Development, and the Student Wellness Center.

Religious Observances

Some students may wish to take part in religious observances that occur during this academic term. If you have a religious observance that conflicts with your participation in the course, please meet with me before the end of the second week of the term to discuss appropriate accommodations.

COVID-19 addendum

While the COVID-19 pandemic has already drastically disrupted this course, it has the potential to result in further personal impact which may prevent you from continuing engagement in the class. This may be due to contraction of the disease by you or a loved one, increased familial responsibilities, financial difficulties, or impacts on your mental/emotional health.

We have structured the course so that these disruptions will not necessarily prevent you from successfully completing this course. First, we will record and post each lecture. This will enable flexible viewing of the course content. Second, we will schedule opportunities for live interaction with the instructor and TA during diverse times throughout the week. Third, the labs have been redesigned so that they can be completed at home.

In the event that you are directly or indirectly impacted by COVID-19 in such a way that will affect your performance in the course, it is imperative that you reach out to the instructor as soon as possible. You may also reach out to your undergraduate Dean if that would make you more comfortable. We cannot assist you if we don’t know there is a problem. Our first priority is your health and security. We will work to put you in touch with appropriate resources to assist you. In addition, appropriate accommodations (for example: deadline extensions and/or extra office hours) will be implemented.

Acknowledgment

This course is closely based on one originally developed by Dr. Charles Palmer. I am deeply indebted to this excellent educator for all of his hard work and generous assistance in creating this course.